Washington Privacy Act, as Introduced in the Washington Legislature: A Rapid Q&A

Following in the footsteps of California, members of the Washington state legislature introduced the Washington Privacy Act (“WPA”) last month, which would regulate businesses that collect, use, and share the personal data of Washington residents. The WPA is modeled largely on the European Union’s General Data Protection Regulation (“GDPR”) rather than the California Consumer Privacy Act (“CCPA”) and thus would further complicate the landscape for companies doing business in the United States.

The WPA is subject to amendment, and if it passes, may very well look different. Below we provide a summary of key provisions of the bill as introduced.

Q:  What would be covered?
A:  All “personal data” of “consumers.”

Like the CCPA, the WPA would apply to personal data collected online and offline. The similarity stops there, however. Unlike the CCPA, the WPA defines personal data as “any information relating to an identified or identifiable natural person,” including an identifier such as an identification number or online identifier. The WPA thus adopts the GDPR’s flexible definition instead of taking the CCPA’s more expansive approach. (The CCPA covers all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”)

Although the WPA is similar to the GDPR, it provides a more explicit carve-out for data that cannot be linked to an individual: the WPA expressly excludes de-identified data, which is data that “cannot be linked to a known natural person without additional information kept separately” or data (i) that has been modified such that the risk of re-identification is small; (ii) that the data controller publicly commits not to attempt to re-identify; and (iii) to which one or more enforceable controls to prevent re-identification have been applied. Depending on how courts interpret it, this carve-out may provide more flexibility than the GDPR and prove particularly useful to companies that use data for analytics or marketing.

Finally, the WPA defines “consumer” as a “natural person who is a Washington resident.” The resident does not have to be in the state of Washington at the time of collection or processing. Unlike the CCPA and the GDPR, the WPA expressly excludes from the definition any employees and contractors of a business when acting in those roles.

Q: Who would be subject to the WPA?
A: Nearly all legal entities doing business in Washington or with Washington residents.

Unlike the CCPA, the WPA does not expressly exclude non-profit entities. Instead, it would cover all legal entities (except state and local governmental entities) that conduct business in Washington or produce products and services that are intentionally targeted to Washington residents, provided that they meet one of the following criteria:

(1) Control or process data of 100,000 consumers or more; or
(2) Derive over 50 percent of gross revenue from the sale of personal information and process or control personal information of 25,000 consumers or more.

The bill, as introduced, does not state whether these are annual requirements. Companies that have an online presence may easily meet the threshold of processing the personal data of 100,000 consumers. And like the CCPA, the WPA excludes information regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”) but would not exempt the entities themselves from coverage.

Moreover, like the GDPR, the WPA allocates responsibilities depending on whether an entity is acting as a “controller” or a “processor.” Controllers (who determine “the purposes and means of processing of personal data”) would be responsible for complying with the obligations set forth in the WPA, while processors (who act on behalf of the controller) would have to follow the instructions of the controller and assist the controller in meeting its obligations. The relationship between the controller and processor would have to be governed by a contract.

Q:  What rights would consumers have under the WPA?
A:  Rights similar to those under the GDPR and CCPA.

Like both the GDPR and the CCPA, the WPA would give consumers the right to access personal data concerning the consumer that the controller holds and, in certain circumstances, require the controller to provide the data in a “structured, commonly used, and machine-readable format.” The WPA also would require controllers to correct inaccurate personal data and, in certain listed situations, to delete personal data at the request of the consumer. 

Consumers also would be able to object to the processing of their personal data and to restrict processing, under certain circumstances. A controller would have to stop processing when the consumer objects to direct marketing, but could continue processing for a purpose other than direct marketing if the controller could show a “compelling legitimate ground” to do so. The bill does not explain what any “compelling legitimate ground” could be. 

Finally, the WPA would prohibit controllers from subjecting consumers to decisions “based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer.” The WPA explains that such “effects” include “denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, and health care services.” This prohibition likely would affect any automated data analytics performed for the purpose of preventing fraud, detecting money laundering, and so forth. The GDPR also provides for this right, while the CCPA does not mention automated decision-making. 

Finally, the bill would require a controller to notify any third party that received a consumer’s personal data that the consumer has requested to correct, delete, or restrict the processing of the data.

Q: Would companies have to obtain consent from consumers? What kind of consent?
A: Yes, opt-in consent for any processing would be required when the potential risks to the consumer outweigh other interests.

Unlike the CCPA, the WPA would require all controllers to conduct and document risk assessments concerning the processing of personal data before engaging in such processing or whenever the controller changed the processing in a way that would materially impact consumers. These risk assessments would be required for each processing activity, and the WPA would require companies to obtain “consent” for any type of “processing” when a risk assessment showed that the potential risks to the consumer would outweigh the interests of the controller, consumer, other stakeholders, and the public. Companies would have to turn over the risk assessments to the attorney general upon request. The WPA uses the GDPR’s definition of “consent” (a “clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of a consumer’s agreement to the processing”).

While the CCPA requires opt-out consent for the “sale” of consumers’ information, the WPA is potentially broader, more burdensome, and more difficult to implement in that it would require opt-in consent for any processing activity – including internal use – if the risks to the consumer outweighed other interests. Complicating matters further, the bill does not provide any guidance regarding how companies should conduct this risk assessment or how to weigh the risks against other interests. The WPA is also broader than the GDPR, which requires companies to conduct data protection impact assessments only under certain circumstances. 

Q: Would I have to change my privacy policy and/or provide other consumer notices?
A: Yes.

The WPA would require controllers to provide privacy notices “in a form that is reasonably accessible to consumers” and that contain the following:

• Categories of personal data collected
• Purposes for which such categories are used and disclosed to third parties
• Rights that consumers have with respect to personal data
• Categories of personal data that the controller shares with third parties
• Categories of such third parties
• If the controller engages in “profiling,” meaningful information about the logic involved and the significance and likely consequences of the profiling
• If the controller “sells” personal data to data brokers or processes personal data for direct marketing, a statement that the controller engages in such processing, as well as how the consumer may object to such processing

The WPA would also require expansive disclosures regarding the use of “profiling” beyond those required by GDPR. Regardless of how the controller uses the profile, controllers must disclose at the time of data collection “meaningful information about the logic involved and the significance and envisaged consequences of the profiling.” Specifically, if the company uses profiling for direct marketing purposes (or sells profiles for such), it must disclose this and provide mechanisms for the consumer to object.

Unlike the CCPA, the WPA does not mandate any particular language in the privacy policy or a “Do Not Sell My Personal Information” link on the company’s website.

Q: Does the WPA include any unique provisions?
A: Yes, it imposes restrictions on the use of facial recognition technology.

The WPA would impose requirements on both controllers that use, and processors that provide, facial recognition technology. Specifically, controllers that use such technology for profiling would be required to provide meaningful human review of any decisions based on the technology where such decisions produce the “legal effects” and “similarly significant effects” described above. Controllers also would be required to obtain consent from consumers before using such technology. A consumer would be deemed to “consent” by entering a physical premises where such notice is conspicuously displayed, or using online services on which such notice has been conspicuously provided. Processors that provide facial recognition services would be required to (i) provide information about the capabilities and limitations of the technology, and (ii) include in contracts with controllers a requirement that such technology not be used to unlawfully discriminate. The bill defines “facial recognition” to mean a “technology that analyzes facial features and is used for the unique personal identification of natural persons in still or video images.”

Q: If a business is already in compliance with the GDPR, would compliance with the WPA impose a significant additional burden?
A: Compliance with the GDPR will give businesses a leg up, but additional work may be required.

Though the WPA is modeled after the GDPR, there are several notable differences. The WPA does not require an initial lawful basis for processing; however, it does allow consumers the opportunity to restrict processing or withdraw consent in situations other than those allowed under the GDPR, thus requiring organizations to analyze additional operational impacts. Moreover, the GDPR’s requirement to conduct Data Protection Impact Assessments is limited to situations where processing creates a high risk to the rights and freedoms of natural persons; the WPA requires risk assessments for all processing of personal data. Finally, although the WPA does not borrow the GDPR’s requirements of data minimization and privacy-by-design, embedding these concepts throughout the organization could make compliance less burdensome.

Q: How would the WPA be enforced?
A: By the Washington attorney general.

The Washington attorney general could bring a civil action under the Washington consumer protection act against a controller or processor that violates the WPA. Companies would be given 30 days to cure violations related to privacy notices, documented risk assessments, the use of de-identified data, and compliance with the exemptions. They would be subject to an injunction and liable for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation. There is no private right of action contained in the law.

Q: When would I have to be in compliance?
A: By December 31, 2020.